V2 is deprecated and this behavior has been supported (intentional or
not). We can't really fix it; it will go away with the V2 API being
dropped.
** Changed in: keystone
Status: In Progress => Won't Fix
https://bugs.launchpad.net/bugs/1313956
Title:
Keystone adds role to non-existing user in specific tenant by API
Status in OpenStack Identity (keystone):
Won't Fix
Bug description:
Icehouse, discovered during tempest testing:
Scenario is adding role to non-existing user in specific tenant:
Tenant-id = 2775ce375d624735b49347cdac41a946
Role-id = 9fe2ff9ee4384b1894a90878d3e92bab
User-id is some junk, like: junk-user-id-2999
The problem exists only in API requests; the CLI command reports an error:
@all-in-one:~# keystone user-role-add --user user-junk-id-101010 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 2775ce375d624735b49347cdac41a946
No user with a name or ID of 'user-junk-id-101010' exists.
With API:
1) Authenticate and get token:
curl -d '{"auth":{"tenantName": "openstack", "passwordCredentials": {"username": "admin", "password": "admin_password"}}}' \
  -H "Content-type: application/json" http://localhost:35357/v2.0/tokens > /tmp/aaa
sed -i 's/.*"id": "\(.\+\)==.*/\1==/g' /tmp/aaa
2) Add existing role in existing tenant to non-existing user "junk-user-id-2999":
curl -i -H "X-Auth-Token:`cat /tmp/aaa`" -X PUT \
  http://localhost:35357/v2.0//tenants/2775ce375d624735b49347cdac41a946/users/junk-user-id-2999/roles/OS-KSADM/9fe2ff9ee4384b1894a90878d3e92bab
Output means success:
{"role": {"enabled": "True", "description": "Default role for project
membership", "name": "_member_", "id": "9fe2ff9ee4384b1894a90878d3e92bab"}}
3) Repeat the last request and get output:
{"error": {"message": "Conflict occurred attempting to store role grant. User
junk-user-id-2999 already has role 9fe2ff9ee4384b1894a90878d3e92bab in tenant
2775ce375d624735b49347cdac41a946", "code": 409, "title": "Conflict"}}
Seems like user is self-added.
Although there are no such users in this tenant:
curl -H "X-Auth-Token:`cat /tmp/aaa`" \
  http://localhost:35357/v2.0/tenants/2775ce375d624735b49347cdac41a946/users
--- no junk-user-id-2999 here ---
Seems like there is no user id check in API.
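
The sequence reported above (success, then 409 Conflict, with the user absent from the tenant listing), as an added Python illustration that is not keystone's code and not part of the bug report. It is a toy in-memory model: the class and function names, the outcome strings, and the assumption that the tenant user listing only returns ids known to the identity side are constructed for this example; the ids are the ones from the report.

```python
TENANT = "2775ce375d624735b49347cdac41a946"   # ids taken from the report
ROLE = "9fe2ff9ee4384b1894a90878d3e92bab"
JUNK = "junk-user-id-2999"


class Conflict(Exception): pass        # constructed stand-in for the 409

class UserNotFound(Exception): pass    # constructed; raised only when validating


class AssignmentStore:
    """Toy model (constructed, not keystone's code) of a role-grant store."""

    def __init__(self, users, validate_user):
        self.users = set(users)    # identity side: user ids that really exist
        self.grants = set()        # assignment side: (user, tenant, role)
        self.validate_user = validate_user

    def add_role(self, user_id, tenant_id, role_id):
        # The user id check the report says is missing from the API path.
        if self.validate_user and user_id not in self.users:
            raise UserNotFound(user_id)
        key = (user_id, tenant_id, role_id)
        if key in self.grants:
            raise Conflict(key)
        self.grants.add(key)

    def list_tenant_users(self, tenant_id):
        # Assumption: the listing only returns ids the identity side knows.
        return sorted({u for u, t, _ in self.grants
                       if t == tenant_id and u in self.users})

    def orphaned_grants(self):
        # Audit: stored grants whose user id does not exist.
        return sorted(g for g in self.grants if g[0] not in self.users)


def replay(store):
    """Send the report's role grant twice and record each outcome."""
    outcomes = []
    for _ in range(2):
        try:
            store.add_role(JUNK, TENANT, ROLE)
            outcomes.append("granted")
        except Conflict:
            outcomes.append("conflict")
        except UserNotFound:
            outcomes.append("user-not-found")
    return outcomes
```

With validation off, the grant is stored but never shows up in the listing, so only an audit like `orphaned_grants()` reveals it.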